MySchool Blog

The GDPR and school suppliers

Posted by Julian on 01 November 2017

As a controller, your school is responsible for the security and processing of all personal data you collect. This responsibility extends to the data you share with any third parties such as your suppliers. If one of your suppliers falls foul of the GDPR and the data you shared with them is compromised, the data protection authority may come knocking on your door. Although this may seem a little onerous, there is clear guidance on how to responsibly protect the data you share and how to legally protect yourselves.

Topics: General Data Protection Regulation, GDPR, Featured

GDPR - The Data Protection Officer

Posted by Julian on 31 July 2017

The appointment of a data protection officer is one of the more daunting requirements of the GDPR. The concept of the DPO has been around for a long time and a number of countries in the EU have had the requirement in place for a number of years, most notably Sweden and Germany. The GDPR now makes this appointment mandatory across the EU regardless of the size of the organisation, though there are other criteria that determine whether a DPO is required. Before we get into the criteria, I'll cut to the chase: schools will almost certainly need a DPO.

Topics: General Data Protection Regulation, GDPR, Featured

GDPR Awareness. What you should do right now.

Posted by Julian on 27 April 2017

The thing about the GDPR is that it's not going away and it's not going to pass by silently on May 25th 2018. It's designed to make everyone sit up and take notice.

The truth is, current data protection action tends to be more reactive than proactive. The GDPR is designed to make the data controller, in this case schools, fully responsible for managing their students', staff's and parents' data and to actively prove they comply with the regulation.

Topics: General Data Protection Regulation, GDPR, Featured

Unpacking Personal Data under the GDPR

Posted by Julian on 28 March 2017

The GDPR defines personal data as:

"... any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

Article 5 Principles relating to processing of personal data

To be clear, the 'data' element of 'personal data' refers to recorded information that is, or is intended to be, stored and processed electronically as part of a filing system.

Topics: GDPR, Security & Privacy, Featured

Consent in the GDPR

Posted by Julian on 06 March 2017

Consent is not a new concept and has been a core part of data protection & privacy laws for decades. However, the GDPR raises the bar considerably on 'conditions for processing' personal data.

Simply put, 'consent' means obtaining clear permission to hold and process a person's data for a specific use. Although it is already required, practices such as 'opt out' have become commonplace, e.g. pre-ticked checkboxes to receive marketing material, making it more of an assumption of consent rather than explicit permission. The GDPR is far more explicit about what constitutes consent and aims to entirely remove this kind of deception.

Article 7 GDPR Conditions for consent

Topics: GDPR, Privacy

EU GDPR Summary for Schools

Posted by Julian on 01 February 2017

You may be wondering why we need new privacy laws. As it stands, data privacy laws vary from country to country within the EU, with little harmonisation. This causes confusion, reduces trust and ultimately undermines the effectiveness of data privacy laws. The GDPR is intended as a 'one-stop-shop' bringing with it a high level of alignment across the European Union. This of course also makes it far easier to administer and enforce.

The following are the key elements of the GDPR. We'll be going into the details of each one of these in future blog posts. If you're not already subscribed, you can get email alerts as soon as we publish new articles.

Topics: GDPR, Privacy, Featured

General Data Protection Regulation (GDPR) glossary for schools

Posted by Julian on 16 December 2016

There are many specialised words and terms associated with the General Data Protection Regulation (GDPR). These are the most common ones.

Binding Corporate Rules (BCR)
Corporate rules to allow multinational organisations such as multinational school networks to safely and legally transfer data internally (within the organisation) but across EU borders.
Consent
Freely given, specific, informed and explicit consent by statement or action by the student, parent, staff member or any person signifying agreement to the processing of their personal data.
Data Controller
This is the school. Determines the purposes, conditions and means of the processing of personal data.

Topics: General Data Protection Regulation, GDPR, Security & Privacy

GDPR Introduction: New privacy law affecting school data security for students & staff.

Posted by Julian on 14 December 2016

What is GDPR?

The General Data Protection Regulation is the EU’s tough new privacy and data protection law designed to significantly strengthen all EU citizens' rights and security relating to the data you store about them. This includes students', staff's and parents' right to legal action against the school or ‘student information system’ supplier and the right to compensation regarding misuse of their personal data.

Topics: General Data Protection Regulation, GDPR, Security & Privacy